What California's DROP Program Means for You (And Why It Matters If You're Not in California)

For years, removing your personal information from data broker sites meant submitting individual opt-out requests to each company separately — 200+ sites, each with its own process, timeline, and tendency to re-add your data after removal. California's DELETE Act, signed into law in 2023, was designed to change that.

The Delete Request and Opt-Out Platform — DROP — is the infrastructure that makes it real. Understanding what it does (and what it doesn't) matters whether you live in California or not.

What DROP Actually Is

DROP is a state-operated portal run by the California Privacy Protection Agency (CPPA). California residents can submit a single opt-out request through DROP, and that request gets forwarded to every data broker registered with the state.

Instead of 200+ individual requests, you make one. The brokers are legally required to process it within 45 days.

The operative word is "registered." California requires data brokers that collect and sell California residents' data to register with the state and pay an annual fee. The registry is public — you can look up every registered broker at cppa.ca.gov. As of 2026, there are hundreds of registered brokers, though not every people-search site is on the list (either because they haven't complied, or because California hasn't caught up to them yet).

Who Can Use DROP

California residents only. You don't need to be a California citizen — residency is the requirement. The CPPA uses a simple self-attestation model: you certify that you're a California resident when submitting your request.

If you've lived in California recently but have since moved, it's less clear. The law is tied to current residency. If you're not sure whether you qualify, the safest read is to use DROP if you currently live in California.

What DROP Removes — And What It Doesn't

DROP handles deletion requests and opt-out-of-sale requests. When you submit a deletion request, registered brokers are required to delete your personal information within 45 days. When you submit an opt-out-of-sale request, they must stop selling your data.

Important limitations:

• Registered brokers only. Data brokers who haven't registered with California are outside DROP's reach. The CPPA can pursue enforcement against non-registered brokers — and does — but the portal itself only reaches the compliant list.
• Data doesn't stay gone. DROP doesn't prevent brokers from re-ingesting your data when they update their sources. If you appear in a new public record (a new property deed, a new voter registration), brokers can add you again. DROP gives you ongoing rights, not a permanent solution.
• Not all data types covered. DROP focuses on data brokers as defined by California law. This doesn't include social media platforms, search engines, or news publishers.

How to Submit a DROP Request

The portal is at cppa.ca.gov/drop. You'll need to:

1. Create an account with your name and California address
2. Verify your identity (the CPPA uses a light identity verification step)
3. Select whether you want deletion, opt-out-of-sale, or both
4. Submit — the CPPA forwards your request to all registered brokers

You'll receive confirmations as brokers process your request. The CPPA tracks compliance, and non-compliant brokers can face fines up to $200 per intentional violation per consumer per day.

Why This Matters If You're Not in California

California has historically set the pace for US privacy law. CCPA (2018) was the first comprehensive consumer privacy law in the US and directly pushed companies to extend some privacy rights nationally because managing two separate systems was operationally easier than California-only compliance.

DROP is seeing the same dynamic. States including Texas, Vermont, and Illinois are actively studying California's model. The Data Broker Registration and Opt-Out Act (federal) has been introduced in Congress multiple times — DROP gives legislators a working implementation to point to.

The other reason it matters: DROP creates enforcement pressure. The CPPA has real teeth — it can audit brokers, pull their registration, and issue fines. Every state that doesn't have DROP-style legislation still has residents using these same data broker sites. Federal momentum depends partly on DROP working in California.

The Enforcement Picture

The CPPA has been active. In 2025, they sent warning letters to 24 data brokers who weren't registered. Several subsequently registered; others were referred for enforcement proceedings. The financial penalties are significant enough that most large brokers have opted for compliance over risk.

That said, the long tail of small data broker sites — smaller people-search directories, regional marketing list sellers — is harder to police. The CPPA acknowledges that enforcement resources limit how aggressively they can pursue every non-compliant broker simultaneously.

Other State Privacy Laws Worth Knowing

If you're not in California, your options depend on where you live:

• Texas: Data Broker List Act requires registration and opt-outs, similar framework to California but without a unified portal yet
• Vermont: Has had data broker registration since 2018, but without a DROP-equivalent portal
• Virginia, Colorado, Connecticut: Comprehensive privacy laws that include opt-out rights for certain data uses, but not specifically targeting data brokers with California's specificity
• Federal: No comprehensive national data broker opt-out right exists yet as of mid-2026. The American Privacy Rights Act has passed committee but not the full Congress

What You Should Do Right Now

If you're a California resident: submit a DROP request. It's the single highest-leverage action you can take for your data privacy — one request reaches every registered broker simultaneously.

If you're not in California: start with the largest data broker sites individually. Spokeo, Whitepages, Radaris, BeenVerified, Intelius, and PeopleFinder account for the majority of people-search traffic. Opt-out guides for each are on this site. Or consider a data removal service — Incogni, DeleteMe, or Optery will handle the submissions across all of them.

The landscape is improving. DROP is the clearest proof that government infrastructure can make privacy rights actually usable rather than theoretical. It won't be the last program like it.